Azure Configuration

Subnets – at least one for VMs (172.30.0.0/24) and one for Gateway (172.30.255.0/29)

Virtual Network Gateway – Azure VPN endpoint with a public IP address, associated with the Gateway subnet above. Gateway type is VPN, VPN type is Policy-based (the Route-based type uses IKEv2, which is not supported by the NSX platform used by vCloud Director).

Local Network Gateway – definition of the vCloud VPN endpoint: its public IP address and the subnets that should be reachable behind it (81.x.x.x, 192.168.100.0/24)

Connection – definition of the tunnel:

Connection type: Site-to-site (IPSec)

Virtual network gateway and local network gateway: straightforward, use the ones created previously

vCloud Configuration

As explained above, we created a Policy-based VPN endpoint in Azure. A Policy-based VPN uses IKE version 1, Diffie-Hellman Group 2 and no Perfect Forward Secrecy.

However, selection of the DH group and PFS is not available to the tenant in vCloud Director on the legacy Org VDC Edge Gateway. Therefore the following workaround is proposed:

The tenant configures VPN on their Org VDC Edge Gateway with the following:

Name: Azure

Enable this VPN configuration

Establish VPN to: a remote network

Local Networks: 192.168.100.0/24 (Org VDC network(s))

Peer Networks: 172.30.0.0/24

Local Endpoint: Internet (interface facing internet)

Local ID: 10.0.2.121 (Org VDC Edge GW internet interface)

Peer ID: 51.x.x.x (public IP of the Azure Virtual network gateway)

Peer IP: 51.x.x.x (same as previous)

Encryption protocol: AES256

Shared Key: the same as in Azure Connection definition

Now we need to ask the service provider to disable PFS and change the DH Group to DH2 directly in NSX, in the Edge VPN configuration.

Note that this workaround is not necessary on an Org VDC Edge Gateway that has Advanced Networking services enabled. At the moment this feature is available only in vCloud Air; however, it will soon be available to all vCloud Air Network service providers.

If all firewall rules are properly set up, we should be able to ping between the Azure and vCloud VMs.
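As an added illustration (not code from the post), the check below encodes the two constraints this section describes: the Edge proposal must match the fixed IKEv1 / DH group 2 / no PFS set of the Azure policy-based gateway, and the Edge Local and Peer Networks must mirror the Azure local network gateway prefixes and the Azure address space. The Edge starting values for DH group and PFS before the provider's change are assumed, not taken from the post.

```python
import ipaddress

# Parameters the Azure policy-based gateway fixes (IKEv1, DH group 2, no PFS) plus
# the AES256 the post selects on the Edge; the tenant UI cannot change DH/PFS.
AZURE_POLICY_BASED = {"ike_version": 1, "dh_group": 2, "pfs": False, "encryption": "AES256"}
AZURE_VNET_PREFIXES = ["172.30.0.0/24"]     # VM subnet in the Azure virtual network
AZURE_LNG_PREFIXES = ["192.168.100.0/24"]   # Azure local network gateway address space

# Constructed Edge configuration: the tenant-visible settings from the post plus
# assumed starting values (PFS on, DH group 14) before the provider edits them in NSX.
EDGE_TENANT_DEFAULT = {
    "ike_version": 1, "encryption": "AES256", "dh_group": 14, "pfs": True,
    "local_networks": ["192.168.100.0/24"], "peer_networks": ["172.30.0.0/24"],
}

def covered(nets, by, what, by_name):
    """Report every prefix in `nets` that is not inside some prefix of `by`."""
    found = []
    for net in nets:
        n = ipaddress.ip_network(net)
        if not any(n.subnet_of(ipaddress.ip_network(b)) for b in by):
            found.append(f"{what} {net} is not within {by_name} {by}")
    return found

def check_tunnel(edge, vnet_prefixes=AZURE_VNET_PREFIXES, lng_prefixes=AZURE_LNG_PREFIXES):
    """Return mismatches between the Edge VPN settings and the Azure side; [] means aligned."""
    problems = []
    for key, wanted in AZURE_POLICY_BASED.items():
        if edge[key] != wanted:
            problems.append(f"{key}: Edge has {edge[key]!r}, Azure policy-based needs {wanted!r}")
    # Traffic selectors must mirror each other: Edge Local Networks sit inside the
    # Azure local network gateway prefixes, Edge Peer Networks inside the Azure VNet.
    problems += covered(edge["local_networks"], lng_prefixes, "Local Network", "Azure local network gateway")
    problems += covered(edge["peer_networks"], vnet_prefixes, "Peer Network", "Azure address space")
    return problems

def apply_provider_workaround(edge):
    """The change the post asks the service provider to make directly in NSX."""
    return {**edge, "dh_group": 2, "pfs": False}

if __name__ == "__main__":
    for label, cfg in (("tenant default", EDGE_TENANT_DEFAULT),
                       ("after workaround", apply_provider_workaround(EDGE_TENANT_DEFAULT))):
        issues = check_tunnel(cfg)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

The aligned result still means the tunnel runs IKEv1 with DH group 2 (1024-bit MODP) and no PFS, which is below current key-exchange guidance; that is a consequence of the policy-based constraint and worth revisiting once the Edge exposes the DH/PFS choice.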

Hi Tomas,
can you explain the differences between Peer Networks and Peer Subnets?
Let's say I have two subnets in my Azure, e.g. 172.16.0.0/24 and 172.18.0.0/24.
How do I fill those parameters?
How about like this:
Peer networks: 17.0.0.0/8
Peer subnets: 172.16.0.0/24, 172.18.0.0/24
CMIIW

I did all the settings following your guide, but it doesn't work. No error found. It displays connecting and succeeded on Azure, but it doesn't enter connected status. Where do I see the log? Or what can I do now?